When all of the following conditions apply:
2) The server does not perform any sanitization of the submitted text.
3) The server allows text from user1 to be returned to user2 through a DWR Ajax call.
4) User1 tricks user2 into navigating to a specially crafted URL.
Big thanks to Takeshi Terada of Mitsui Bussan Secure Directions and JPCERT for reporting this issue:
Implementation checked in.